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The chip \ \ 

card is a \ 

microcon- \ 

troiler or mem- \ 

ory card with a \ 

full-blown proces- \ 

sor structure, pack- \ 

aged in a plastic card. ' 

Thanks to modern 
semiconductor integra¬ 
tion technology, chip 
cards have the same size as 
credit cards, and are not 
thicker than any magnet strip 
card. This article is intended as 
an introduction to chip card tech 
nology. 


Based on an article by J. Heine 


C HIP cards with a variety of appear¬ 
ances and functions have been 
around since the middle of the nineteen 
seventies. Today, they are used increas¬ 
ingly in, for instance, telephone booths 
(though not yet in the UK) and personnel 
identification and work time logging sys¬ 
tems in large plants and office buildings. 
In some cases, they are also used for elec¬ 
tronic financial transactions. In the near 
future, further measures towards appli¬ 
cation-independent, international, stan¬ 
dardization of the chip card is sure to 
give a tremendous boost to the number of 
applications. This will be helped by much 
reduced productions cost, which goes 
hand in hand with high production vol¬ 
umes. Also, a combined chipcard/magnet 
strip card will soon be unveiled. 

The primary function of a chip card is 
to help identify the rightful owner, or, 
with non-personalized cards, to grant the 
user a certain service for which a remu¬ 


neration is due that is within the limits 
of the ‘value’ of the card. In this respect, 
chip cards are the successors of the wide¬ 
spread ‘flexible friend’, the magnet strip 
card issued by banks and credit card or¬ 
ganizations. The requirements as re¬ 
gards physical and electrical 
characteristics of the chip card are laid 
down in ISO standard 7816, part 3. 

Construction of a chip 
card 

The generic name ‘chip card’ is used to 
cover the following products: 

- Smart Card 

- Memory Card 

- Processor Card 

- Intelligent Card 
-IC card 

These different names already hint at 
differences as regards function and inter¬ 



ns ' ion. According to 

IS \ dard, the name ‘IC Cai 

sho, .d to denote all members 

the chip vard family. 

Magnet strip cards with their pasi 
function and small memory capacii 
(342 bytes) are easily read, copied 
forged. By contrast, chip cards, by vi] 
of their much larger memory capacity (up ' 
to 32 KByte), built-in intelligence and ac-: 
cess lock, offer a much higher degree 
safety against unauthorized use. Yei 
they are relatively cheap to produce. 


Production 

The chip card has the same size as a | 
bank or credit card: 85.6x54x0.76 mm„| 
For mobile telephones and other applicant 
tions where space is restricted, so-called | 
‘Plug-in SIM®’ cards are available with a 
size of 18x28x0.76 mm. The chip proper } 
has a size of 10x10 mm 2 , and is embed-! 5 
ded in plastic carrier material. Because -j 
of the flexibility of the card and other ex¬ 
ternal factors, the carrier ‘floats’ inside a 
clearance in the plastic carrier. The chip ! 
carrier element is produced by covering : : 
both sides of a foil with copper foil. Next, ! 
the contacts and the layout are etched | 
(Fig. 1), and subsequently through-con¬ 
tacted. Onto this composite foil, an 1 
equalizing foil is laminated, from which i 
the clearances for the chip contacts are 
punched. The chip is secured on to the j 
equalizing foil with the aid of silicon rub- j 
ber cement, connected to the conducting i 
foil, and subsequently covered by an- S 
other foil. The rear side of the conducting ] 
foil contains the contacts (shown in the 
form of a punch-out pin feed strip in the 1 
background of Fig. 1), which later forml 
the contacts to the outside world. A fur-j.F 
ther layer of foil, which has clearances off 
the size of the contact elements, is se- j| 
cured at the contact element side of the gj 
conducting foil. The finished carrier ele- .j 
ment is punched out of a larger sheet* ] 
and inserted into the card, which con¬ 
sists of several layers of PVC foil. These | 
make the card resistant against higtij 
temperatures, high humidity, and chemivf 
cals. However, direct heat transfer to the l 
card, as well as electrical noise at the J 
chip contacts (ESD) and excessive strain!J 
caused by bending, should be avoided. 

Block diagram 

The basic elements in a chip card artfj 
shown in Fig. 2. They include: 

- a microcontroller (CPU) 

- a scratch memory (RAM) 

- a program memory (ROM) 

- a data memory (EPROM or EEPROM| ? 

- an input/output block (I/O) 

Depending on the application, memory 
cards may be preferred over process^ 
cards. In the long term, however, 
trend will be towards combination ca 
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Building blocks of a chip card: in 
fvnt, the etched chip carrier element, in the 
ftntre, the (unfinished) card, and in the 
^ background, the punching tape. 


I standardized readers which accept 
es of card. Two of the world’s major 
lit card organizations, VISA and 
ard, already supply combination 
ds which allow users to make credit 
lard purchases in the usual way using 
fog magnetic strip system, as well as 
ke telephone calls with automatic 
nent via their account. In response to 
trend, telephone booths in many 
ntries are rapidly upgraded to accept 
i cards. 

Because of the standardized protocol 
aa regards access, and because their ‘in- 
lligence’ allows them to be tailored to 
protocols, processor-type chip 
.—ds are generally considered the best 
- Candidates to pioneer a universally us- 
ble and global chip card technology. 

Access 

fhe card has six to eight gold-plated con¬ 
tacts with an effective contact area of 

■fc?’ 


irfUl ' 

Fig. 2. The basic architecture of a chip ca 
Is fully equivalent to that of a microcontroll 
system. 
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1.7x2 mm 2 . The two possible positions of 
the contacts on the card are accurately 
defined. The position used depends on 
that of the magnet strip and the printed 
area. 

Chip card readers (also called card 
terminals) are currently available in a 
number of versions, from simple ones 
with spring-operated pin contacts, to 
zero-insertion force types with end 
switches. The ultimate, however, is the 
motor hybrid card reader which automat¬ 
ically moves cards into the contact posi¬ 
tion, and ejects them after reading. 
Figure 7 shows a simple and therefore 
reasonably priced card reader unit with 
pin contacts and an end switch (which 
turns the reader on and off). 

The position of the contact area of a 
telephone card with a fixed number of 
’credit units’ (i.e., cost pulses) is shown in 
Fig. 3. The telephone card is powered by 
a supply voltage of 5 V (Table 1) via con¬ 
tacts Cl and C5 (GND), and has an on- 
card voltage step-up converter for the 
EE PROM programming voltage. A clock 
signal (CLK) is applied to the card via 
contact C3 to enable serial data to be 
conveyed bidirectionally via contact C7 
(I/O). Contact C6 is rarely used in mod¬ 
em card readers. It supplies an external 
programming voltage (V pp ), which is ap¬ 
plied after the card has been identified. 
Only a few types of (by now obsolete) 
cards require this programming voltage. 

Although the functions of contacts C4 
and C8 are ‘reserved’ according to the 
standard, they are not used on most 
cards. Contact C2 functions as a reset 
input which allows the ‘intelligent’ con¬ 
tact with the card to be established, fol¬ 
lowed by an identification operation 



Fig. 3. Location of the eight-way contact are 
on the card. 


contact 

designation 

contact 

designation 

Ci 

VCC (Supply Voitaga) 

C5 

GND (Ground) 

C2 

RST (R«u<) 

C6 

VPP (Programming Voltaga) 

C3 

CLK (Clock Signal) 

C7 

I/O (Input/Output) 


) Ik. 






Table 1. Functions of the electrical contacts 
on the chip card. 


(both according to a protocol described 
further on). 

Programming 

Table 2 lists a number of the largest and 
best known manufacturers of chip cards. 
Philips and OKI concentrate on proces¬ 
sor cores for which extensive develop¬ 
ment systems are available, and 
complete these cores with arithmetic 
processors capable of processing secu- 



Fig. 4. Possible locations of electrical contacts and magnet strips on combination cards. 


















































































































GENERAL INTEREST 


CHIP CARDS 


Manufacturer 

Type 

CPU 

i \ 

<OM 

EEPROM 

Siemens 

SLE 44xx 

8 Bit 

8051 derivative 

128 Byte 

4 kByte 

2 kByte 

Motorola 

68HC05xx 

8 Bit 

6805 

128 Byte 

6 kByte 

3 kByte 

SGS 

ST9 

8 Bit 

6805 derivative 

256 Byte 

20 kByte 

1.5 kByte 

Toshiba 

TOSMART 

8 Bit 

Z80 derivative 

512 Byte 

8 kByte 

8 kByte 

Hitachi 

H8/310 

8 Bit 

H8 

256 Byte 

10 kByte 

8 kByte 

Philips 

83C852 

8 Bit 

80C51 derivative 

256 Byte 

6 kByte 

2 kByte 

OKI 

MSM627xxx 

8 Bit 

8051 derivative 

448 Byte 

14 kByte 

16 kByte 
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Table 2. Overview of microcontroller products and their main features related to chip cards 


address 

number 

fum i 

000 

16 

If 

016 

8 

111111. ...y bits | 

024 

4 

manufacturer and first position of serial number 



0000 ORGA 

ONI 



1000 GDM 

1 



0100 ODS 

2 



1100 Gemplus 

3 



0010 Solaic 

4 



1111 Reserve 

16 

028 

4 

checksum 1 

032 

4 

value of the new card 




1100 1,50 DM 

0010 6,00 DM 

1010 12,00 DM 

1110 60,00 DM 


036 

4 

year of manufacture and second position of serial number 



0000 1980+10 

N2 



1000 1980 + 10 

+ 1 



0100 1980+10 

+ 2 



1100 1980 + 10 

+ 3 



0010 1980 + 10 

+ 4 



1010 1980+0(1) 

+ 5 



1111 1980 + 0 

+ 16 

040 

4 

month of manufacture (0... 11) 




0000 January 

+ 01 N3N4 



1000 February 

+ 02 



0100 March 

+ 03 



1101 December 

+ 12 



1111 

+ 16 

048 

4 

serial number 

N9 

052 

4 

serial number 

N8 

056 

4 

serial number 

N7 

060 

4 

serial number 

N6 

064 

8 

1 residual value of card MSB number of 1-B a 

072 

8 

residual value of card Bits 

b 

080 

8 

residual value of card 

c 

088 

8 

residual value of card 

d 

096 

8 

residual value of card 

e 



residual value of card in pence = 

a-8 4 +b- 8 3 +c -8 2 +C/-8 1 +e *8° 

104 

24 

| dummy bits 11111 ...1 
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Table 3. Functions of the bits sent out by a disposable phonecard (having a fixed equivalent 
value). Example based on a Bundespost (German PTT) phonecard. 


K.6 mm 



Fig. 5. Dimensions of a disposable 
phonecard with a fixed equivalent value. 


rity-sensitive data using encryption algo¬ 
rithms like DES (data encryption stan¬ 
dard). 

Chip cards have astoundingly large 
memory areas. Today, there is nothing 
special about 32 Kbytes of EEPROM, 
32 Kbytes of ROM and 512 bytes of RAM 
contained in a chip card. Such large 
memories speed up arithmetic operations 
considerably, and are a must considering 
that cards are used with ‘signatures’ hav¬ 
ing a length of 512 bits, and algorithms 
with an iteration depth of up to 32 bits to 
encrypt a single block of clear text 
(64 Bytes). The large ROM area provides 
sufficient space for program, look-up and 
encryption tables. The EEPROM loca¬ 
tions are usually reserved for the option 
of running several applications on a sin¬ 
gle card. 

To the electronics hobbyist, only the 
all-EEPROM based chip cards are of pos¬ 
sible interest. These contain a processor 
running a program which only arranges 
the data transfer to and from the EEP¬ 
ROM, and takes care of the serial com¬ 
munication section. Using these basic 
utilities, certain (expired) intelligent 
phonecards may be given a ’second appli¬ 
cation’ using the read-only mode. Most 
ordinary phonecards, however, are use¬ 
less once their credit is used up. 


Identification 

The way chip cards identify themselves 
is standardized and referred to as ‘an¬ 
swer-to-reset’ in ISO 7816-3. The card 
reads a ROM-resident 128-bit wide 
recognition word (max. 256 bytes with 
other cards) containing, amongst others, 
manufacturer data (protocol T=l). This 
word is copied to the card reader via the 
I/O pin. The designation T=_ refers to a 
special protocol which is also specified in 
the ISO standard. Currently, there is 
T=0, T=1 and T=14. 

Cards and countries 

Unfortunately, the use of one and the 
same chip card for a single application 
(for instance, making use of a public tele¬ 
phone anywhere in Europe) is hindered 
by difficulties in equalizing (to a certain 
degree) the tariff structures used in the 
telecommunications field, as well as by 
the lack of identical concepts for secure 
storage of the card’s residual value. The 
two problems are caused by the fact that 
a number of currently applied protocols 


are tailored to one application only. 
Market areas formed by country-specific 
users have caused the introduction of dif¬ 
ferent protocols and sub-protocols into 
the standard. 

Although the ‘answer-to-reset’ proce¬ 
dure is able to identify the protocol used 
by the card, that does not mean that the 
reader system actually supports that 
particular protocol. Consequently, it is 
not yet possible to speak of overall com¬ 
patibility or, indeed, of the cross-frontier 
and totally application-independent chip 
card. 

Compatibility so far only means that 
any chip card’s contact area is to the ISO 
standard, and that the reader performs a 
standard identification check when the 
card is inserted. 

Answer-to-reset obviously works on 
processor cards as well as on their sim¬ 
pler counterparts, memory cards. .The 
identification word provides information 
on electrical and interface data including 

- position of the MSB in the dataword; 

- communication protocol; . 

- clock frequency (internal/extemal); 

- programming voltage (internal/exter¬ 
nal). 

By modifying the associated software, 
and, possibly, the interface, the card 
reader presented in a future article in 
this magazine is capable of reading chip 
cards from different countries, and de¬ 
signed for different applications. 

Protocol 

The initialization sequence shown in 
Fig. 6 should be used to make the chip 
card supply its identification word. The 
word comes out in two chunks: the first 
has 16 bits reserved for the answer-to- 
reset function, the second, 112 bits con¬ 
taining various data as described below 
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and shown in Table 3. The description is 
based on the assumption that a 
Bundespost (German PTT) telephone 
card is inserted into the reader. 

Manufacturer (bits 24 through 27): a 
distinction is made between the manu¬ 
facturers of the raw materials and the 
parts (chips) on the one hand, and the 
manufacturer of the assembly (the chip 
card itself) on the other. 

Value of the new card: two different 
fields allow the card reader to establish 
the total value of the card at manufac¬ 
ture, and the remaining value (once 
credit units have been used up). The ‘full’ 
value of the card allows two different tar¬ 
iff rates to be used automatically, for in¬ 
stance, 25 pence per unit on a card worth 
£5, or 20 pence per unit on a card worth 
£ 20 . 

Date of manufacture: this indicates 
year and month of production. This is not 
the same as the date printed on the card. 
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Serial number: this is the serial num¬ 
ber of the chip. It consists of nine num¬ 
bers, N1 through N9. These numbers are 
appended to the previously mentioned 
information, and are read from bits 24 
through 60. 

Data encryption 

Obviously, data on credit cards and, say, 
health insurance cards is strictly confi¬ 
dential and has to be protected against 
copying and other forms of misuse. Data 
on chip cards is therefore encrypted to 
one of the following standards: 

- DES (data encryption standard), devel¬ 
oped by IBM in 1977, is still among the 
simplest, safest and widest used algo¬ 
rithms. 

- FES (fast data encryption standard) is 
a smaller version of DES using a 
shorter key. The system offers higher 
processing speed at the cost of reduced 



data security. 

- DSA (digital signal algorithm), devel¬ 
oped in 1991 by the NSA (National 
Security Agency) for the purpose of au¬ 
thenticity checking. 

- IDEA (international data encryption al¬ 
gorithm), patent applied for in 1991. 

- RSA Rivest, also known as the ’Shamir 
and Adleman public key method. 

When picking what looks like the best al¬ 
gorithm, the computing power of the mi¬ 
crocontroller used should be taken into 
account to ensure a reasonable trade-off 
between the duration of read/write oper¬ 
ations and data security. 

Applications 

Phonecards are available in two ver¬ 
sions: cards with a credit function (where 
the cost of the call is automatically 
drawn from your bank or girobank ac¬ 
count), and the far more successful cards 
with a fixed equivalent value or a fixed 
number of cost units, for instance, 10 or 
50 units. Although not personalized, the 
latter are still unique because each one 
has a unique serial number. Instead of 
throwing used-up telephone cards away, 
it would be possible to use them as per¬ 
sonal identification cards in a simple 
controlled access system to an office or 
an apartment building, with door locks 
controlled by a card reader and a micro¬ 
controller. Taking this a bit further, it 
would also be possible to extend such a 
system with a ‘person in/out’ recorder 
coupled with time logging. 

(950036) 

For further reading: 

Amphenol, chip card product information 
C702-X, C703, C704, C705, C707, C708. 

OKI, Smart Card product information. 

ISO 177, DIN 66003, ISO 7810, IS078U/1, 
ISO 7811/2, ISO 7811/3, ISO 7811/4* 
ISO 7811/5, ISO 7816-1, IS07816-2, IS07816- 
3, ISO 7816. 

ANSI Data Encryption Algorithm 1, DES 
X3.92-1991. 



Fig. 7. An inexpensive and simple card 
reader with PCB contacts and an end switch. 






is not difficult, it does re- ing the ‘hidden’ push-but- 
quire accuracy and a little ton, SW3. A user key is 
patience. Pay attention to made as follows: insert a 
proper isolation between the blank key, press SW3, and 
parts and the metal screen- then SW1 (‘down’). This pro- 
ing of the plug (which is con- duces a fully charged user 
nected to +5 V). key. If you leave this key in- 

As with all mains-pow- serted in the reader, the sys- 
ered circuits, precautions tem starts to count down the 
should be taken to ensure time units until the load is 
electrical safety. In particu- switched off. 
lar, the circuit must be To charge a user key, first 
earthed, so that it remains insert the master key (D3 
safe if the transformer or the lights), remove it, an then 
relay breaks down. This pre- the user key. Next, adjust 
caution should always be the number of time units to 
observed, unless you are be given by means of push¬ 
dealing with a double-iso- buttons SW1 and SW2. 
lated device, which is diffi- Other keys are charged in 
cult to produce by a the same way. The reader 
hobbyist. Here, the earthing switches to normal mode au- 
is achieved by connecting tomatically if there is no 
the +5 V line to the earth pin push-button activity within 
of the mains plug. Although 10 seconds, 
the mains voltage is only Although the construction 
present at some points at and use of the Telly-Guard 
the rear side of the PCB, you should be within reach of 
must always pull the mains most of you, getting children 
plug before doing any work to accept the principle of 
on the circuit. limited TV viewing time may 

present some fierce prob- 
PrOCtiCQl US© lems initially. (960304) 

Fit jumpers JP1, JP2 and Note: the software men- 
JP3 before you switch on the tioned in this article is avail- 
circuit. These jumpers set able on floppy disk, see page 
the length of a time unit. The 70. 
total number of time units 
which can be charged is ten. 

The available options are 
shown in a separate box. 

Jumper JP4, if fitted, 
gives a ‘magnifying’ effect 
during the last time unit. 

When the available time has 
dropped to one tenth of the 
total time, the LED scale is 
‘magnified’ by ten, and the 
display starts to flash. This 
function is disabled when 
JP4 is not fitted. Your 
choice! 

The circuit is adjustment- 
free. After taking it into use 

for the first time, you should _ 

start by making the ‘master 

key’. This done by inserting Fig. 4. Object code to be loaded 
a blank key, and then press- into the microcontroller. 


S1110100A680B7 04A6FFB705A6. >6A600AB 

S111010EB712B713B714B716B71. 18B71947* 

S111011CB71AB71BB71CB71DB723A614B71527 

S111012AA650B720A614B722A6FFB721A662DE 

S1110138B7081F091D099ACC0142CC01459A53 

S11101469BA601B7233D1A27OAA600B71ACDBF 

S11101540281CC0145B621A1C7220AB621279B 

S111016206CD0287CC0178B621A1EE2606CD8B 

S111017002B5CC01E3CC01459A9BA602B7234D 

S111017E3D1A27 0DA600B71ACD02AECD0281A0 

S111018CCC0145B621A100270AA1EE2706A149 

S111019AFF27022006CD02A5CC01B3CD047CC4 

S11101A82606CD0291CC0178CC01789A9BA654 

S11001B604B723B621A1EE2606CD02B5CC78 

S11001C301E3B621A1C7220AB6212706CDOB 

S10E01D00287CC0178CD047C2606CD0C 

S11101DB02AECC0145CC01B39A9BA603B72318 

S11101E93D19270DA600B719CD02BECD02CDDB 

S11001F7CC0239B621A1EE27 06CD02C4CCFE 

S11102040209CC01E39A9BA605B723CD047C26 

S11102122606CD02D6CC0145B621A1EE260665 

S1110220CD02B5CC01E3B621A1EE270AA1FF61 

S111022E2706CD02CDCC0239CC02099A9BA63C 

S111023C06B723B621A1EE2706A1FF27022054 

S110024A06CD02C4CC0209CD047C2606CDED 

S111025702D6CC01453D19270DA600B719CDDE 

S111026502EFCD02CDCC02393D18270DA600C4 

S10F0273B718CD02DFCD02CDCC0239CC8F 

S111027F0239A6EECD0351811EOOA601B7136D 

S111028DCD048381CD0483B621270C4AA1C77A 

S111029B2302A6C7B721CD035181A60AB71FBF 

S11102A9A600B71E811FOOA600B713811E0019 

S11102B7A601B713B71481A6C7CD035181A6C3 

S11102C50AB71FA600B71E81A605B71FA60024 

S11102D3B71E811F00A600B713B71481B62111 

S11102E1AB14A1C72302A6C7B721CD035181D8 

S11102EFB621A0142A06A1C72302A600B72137 

S11002FDCD035181100299CD032CA680CDB4 

S111030A0339CD0343B710CD0343B7111502D9 

S11103181102B61143B1102608A1C72306A195 

S1110326EE2702A6FF81240414022002150211 

S111033412021302 81AE0849CD032C5A2 6F999 

S111034281AE0812020702004913025A26F582 

S111035081B710100299CD032CA630CD0339CD 

S111035E150211029D9D9D100299CD032CA63F 

S110036C40CD0339B610CD0339B61043CD92 

S11103790339150211029D9D9D100207 02FD1D 

S1110387110281010006A600B71C2014B61C4A 

S1110395A1FF27 0E3C1CB61CA1022506A6FFE4 

S11103A3B719B71C030006A600B71B2014B63A 

S11103B11BA1FF270E3C1BB61BA1022506A6AE 

S11103BFFFB718B71B050006A600B71D2014D3 

S11103CDB61DA1FF27 0E3C1DB61DA10225067C 

S11103DBA6FFB71AB71D8133173A152606A6DA 

S11103E914B7153316B612A114241F0C001CF1 

S11103F73D162704A6002014B612BB12BB123A 

S11104 05BB12BB12BB12BB12BB12BB12BB124A 

S11104133D172734A1652504A601205AA151E6 

S11104212504A6812052A13D2504A6C1204A2F 

S111042FA1292504A6E12042A1152504A6F169 

S111043D203AA1012504A6F92032A6FD202EA6 

S111044BA1B52504A60E201AA1A12504A61E03 

S11104 592012A18D2504A63E200AA1792504B7 

S11104 67A67E2002A6FE3D1327 02A4F73D1434 

S11104752702A4FBB701813D1E26023D1F8114 

S11104 83B600444444A407A100260AA6D0B73C 

S11104911FA602B71E205CA104260AA668B7A7 

S111049F1FA601B71E204EA102260AA6B4B75E 

S11104AD1FA600B71E2040A106260AA65AB7B5 

S11104BB1FA600B71E2032A101260AA62DB7E7 

S11104C91FA600B71E2024A105260AA61EB7F2 

Sill04D71FA600B71E2016A103260AA60FB703 

S11104E51FA600B71E2008A603B71FA600B767 

S11104F31E81A662B7081F09B610B724B61101 

S1110501B725CD03E2CD038A3A202618A65072 

S111050FB7203D1E26043D1F270CB61FA00179 

S111051DB71FB61EA200B71E3A222613A6145C 

S111052BB722CD0301C70021A1FF2602A600BE 

S1110539C7 00120F0905A601CC054DB624B7 64 

S111054710B625B711809BC70010A6F2B701AD 

S1110555CD0568C60010434848AA01B701CD81 

S11105630568CC0551A650B711A6FF4A26FD27 

S10805713A1126F7 8198 

S10407 840769 

S10907F804F501000100FC 

S10507FE0100F4 

S9030000FC 
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READER 


This design answers the widespread interest in 
applications involving smartcards. Chip-type 
telephone cards and credit cards catch the fancy of 
many. Those ol you thinking of fraud at this point need 
not read any further, because that is not possible with 
this design. The circuit is, however, suitable for many 
other interesting applications, so don’t throw away 
those expired telephone cards! 


Centronics 

connector 


green 


Smartcard 

reader 


yellow 


CLOCK 


11 busy! 


' SWITCH 


960310 • 11 


are connected directly to the card is inserted. This switch 
smartcard. The voltage is is also connected to the 
stabilized to some extent by Centronics port, 
electrolytic capacitor Cl. Having built the small 


The smartcard connections board, you may check if it 


One application of the 
smartcard reader could be 
access protection to a pro¬ 
gram you have written your¬ 
self. This means that any 


the green LED, databit 1 the 
red LED, and the yellow LED 
is connected to the power 
supply. The other databits 


Clock and Reset are inputs, 
wile Data is an output. 

The smartcard reader 
unit has a small internal 
switch which checks if a 


work with the aid of the test 
program (test.exe). If this 
test is passed, try 
‘cardtest.exe’, which reads 
and decodes the ATR string. 


user has to insert an autho¬ 
rized smartcard before he or 
she is allowed to use the 
program. Similarly, access 
checking and logging is 
within easy reach. Only a 
handful of parts are needed 
for experiments at home. 
The present design allows, 
for instance, telephone chip- 
cards to be read. The infor¬ 
mation read from such cards 
consists of the serial num¬ 
ber, production date/month, 
and the remaining value. 

The circuit diagram is so 
simple that a description is 
really superfluous. An exter¬ 
nal power supply is not 
needed because the supply 
voltage is stolen from the 
Parallel port. Diodes D1 
|hrough D4 serve to prevent 
short-circuits between the 
databits. Databit 0 controls 
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PCB 

For Windows 



Looking for the price? 

It's just £49.00 all inclusive! 
...no VAT...no postage... 

...no additional charges for 
overseas orders. 

Dealers and distributors 
wanted. 


Visit our WWW site at www.niche.co.uk for more information 
and a working demo. The demo is also available via anonymous FTP 
from ftp.demon.co.uk in the dir/pub/ibmpc/windows/pcbdemo/as 
pcbdemo.zip. Internet e-mail orders@niche.demon.co.uk. 
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[ Niche Software (UK) 


22 Tavistock Drive, Belmont, Hereford, HR2 7XN. 


✓ Produce Single or Double sided PCBs. 

✓ Print out to any Windows supported printer. 

✓ Toolbar for rapid access to commonly used 
components. 

✓ Helpful prompts on screen as you work. 

✓ Pad, track & IC sizes fully customisable. 

✓ No charges for technical support. 

✓ Snap-to grid sizes 0.1", 0.05" 0.025" and 
unrestricted. 

✓ SMT pads and other pad shapes. 

✓ Prints at the resolution of your printer - much 
higher than the screen shot shown here. 


Phone (01432) 355 414 




VISA 



The program is relatively 
simple. There are various 
routines for the basic func¬ 
tions (LED on/off, clock 
high/low, etc.}. The main 
program first checks if a 
card is inserted (‘switch’). If 
so, data are read using the 
ATR (see Ref. 1), and 
checked. If this information 
is okay, it is converted into 
legible text. 


The routine ‘my_card’ 
contains the registration 
number of one of my own 
telephone cards. The num¬ 
ber may be replaced with 
your own number. The green 
LED will light when this 
number matches that on the 
card. If the numbers are dif¬ 
ferent, the red LED lights. 

The program is only in¬ 
tended as a starting point for 


further experiments, you 
can make it as intelligent 
and attractive as you like. 

(960310) 

Note: the software men¬ 
tioned in this article is avail¬ 
able on floppy disk, see page 
70. 

Reference: 

1. Chip Cards, Elektor 
Electronics April 1995. 


COMPONENTS LIST 

R1.R2.R3 aliens 
D1-D4 = 1N4148 
Cl = 10yF16V radial 
LED1 * 3mm dia., yellow 
LED2 = 3mm dia. t red 
LED3 = 3mm dla., green 
Coni = Centronics socket, PCB 
mount, angled pins; 

Con2 * Smartcard reader unit. 
Available from eMedia GmbH, 
Postfach 610106, D-30601 
Hannover, Germany. Price DM 12. 


NEXT MONTH 

another 16-page section of 
Elektor Electronics devoted to 
prize-winning entries from our 
International Circuit Design 
Competition 1995. 

A selection from the subjects: 

» Microcontroller Switching 
Clock RTC56 

»PC-Driven Battery Tester 
»‘Green power' for PCs 
»Hybrid Headphones Amplifier 
»Intelligent Motor Control for 
R/C Models 

»PWM Signal Generator 
Don't miss (he February 1996 Issue! 
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an exploratory 
look at Intelligent 
telephone cards 



Chip cards come in a 
wide variety, and their 
contents seems to 
exert a strong attrac¬ 
tion on many elec¬ 
tronics enthusiasts. 

Disposable tele¬ 
phone cards (some of 
which have become 
collector’s items!) are 
a great starting point 
for many experiments 
in manipulating the 
electronics contained 
in the plastic. Some 
experimenters have 
successfully turned 
expired phonecards 
into electronic ID 
cards for use in con- 
trolled-access sys¬ 
tems. Others, many 
on the ‘hackers’ front, 
use them to find 
weak spots in sys¬ 
tems which have 
been declared totally 
secure. 


By Patrick Gueulle 


Whatever way you want to start exam¬ 
ining the contents of an intelligent 
telephone card, you have to be able to 
communicate with the chip it contains. 
Communication, in turn, requires a 
basic knowledge of the signals trans¬ 
ferred between the card and the 
reader unit. This knowledge, eventu¬ 
ally, brings you to the actual tiling: the 
contents of the memory on the card. 

First: 

the hardware: 

A chip card is a plastic card having the 
same size as a credit card. A very thin 
silicon chip is secured into the plastic 
carrier at an accurately determined 
position. 

Awaiting the arrival and standard¬ 
ization of the contact-less chip card, 
the communication with the reader 
unit is accomplished via six, seven or 


eight flat contacts whose position is 
standardized. 

The pin numbering of the chip con¬ 
tacts is shown in Figure 1 . Actually, the 
proper term for the unit is 'micromod¬ 
ule'. 

Although chips with eight contacts 
are still found occasionally, most mod¬ 
ern cards have only six contacts, the 
ones designated IS04 and ISOS hav¬ 
ing disappeared. 

Contact number IS05 is always 
easy to locate. Representing the 
ground connection, it extends into the 
centre of the micromodule. 

On the card, the chip may have two 
positions. The 'ISO' position shown in 
Figure 2 is the most common these 
days, as it is the only one expected to 
survive in the long term. 

The AFNOR variant shown in Fig¬ 
ure 3 is now obsolete, being a remnant 
of early telephone card series issued in 
France. Millions of these cards are still 
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around, however. 

Not surprisingly, 
most commercially 
available card readers have two con¬ 
tact groups: one for ISO cards, and one 
for AFNOR cards. The contact groups 
are, incidentally, simply connected in 
parallel inside the cardreader. 

Just like any other electronic com¬ 


ponent, a chip card 
has to be powered. 
The main supply 
voltage (V cc ) is +5 V This is applied to 
contact ISOl. 

The oldest cards around (manufac¬ 
tured in NMOS technology) require a 
second supply voltage, V pp . Applied to 
contact IS06, V pp is normally at +5 V, 


... 

Figure 1. Terminal func¬ 
tions for ISO and AFNOR 
hip cards. 




Figure 3. Two AFNOR 

compatible 

phonecards. 


or at +21 V during write operations. 

With so few contacts left on the 
chip, it goes without saying that data 
is exchanged in serial fashion. 

The IS07 contact is reserved for 
data input/output (VO). The use of the 
remaining contacts differs between 
card technologies. 

Here, we limit ourselves to examine 
cards which are called 'synchronous', 
which covers disposable phone-cards. 
After all, these cards are really just pro¬ 
tected memory units. By contrast, 
asynchronous cards contain a micro¬ 
processor. These cards are used for 
much more complex systems requiring 
a higher degree of security, such as 
pay-TV credit cards and electronic wal¬ 
lets. 

Synchronous chip cards operate in 
sequential fashion, using an internal 
address counter which always points 
at the bit which is to be read or writ¬ 
ten. 

These 'micro-instructions' are writ¬ 
ten to the card via two or three con¬ 
tacts, one of which (in principle, IS03), 
acts as a clock. 

Virtually all telephone cards obey 
one of two communication protocols: 
O the 'three-wire' protocol based on 
French technology (currently the 
most widely used in the world); 

O the 'two-wire' protocol based on 
German technology (this is receiv¬ 
ing gradual acceptance in Europe: 
including the UK, Holland, 
Switzerland, etc.. 

Even a cursory look at the tables in 
Figures 4 and 5 reveals the vast differ¬ 
ences between these two protocols, 
which is another way of saying that 
they are incompatible. 

None the less, the general proce¬ 
dure to launch a read operation on a 
card is largely identical for both pro¬ 
tocols: first, the card is powered, and 
then, a 'RESET' micro-instruction is 
issued by the reader. Next, the first 
memory bit may be read via card con¬ 
tact IS07. 

Note, however, that there are cards 
(notably of the 2-wire type) which 
require a pull-up resistor to be present 
between the IS07 contact and V cc , 
because their output is of the 'open 
drain' type. In general, a resistor value 
between 5-kft and 10k£2 is sufficient. 

In order to access the nth bit of the 
memory, the reader has to issue n 'UP' 
micro-instructions before it is able to 
read the relevant bit via the IS07 con¬ 
tact. 

Since no provision is made to 
decrement the address counter, access 
to any 'earlier' memory cell calls for a 
RESET and the relevant number of UP 
instructions to arrive at the desired 
address. So, bits are read in their orig¬ 
inal order for most of the time. 

Under certain conditions deter- 
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Figure 4. The *French 9 
4 protocol t 


ISO 6: Vpp (21V) 

ISO 7: data output 

ISO 8: fuse (do not use) 

ISO 2: 

ISO 4: 

ISO 3: 

micro-instruction 

0 

0 

j 

RESET 

0 

1 

. r 

UP 

1 

1 

n 

PROGRAM (0-+1) 


Figure 5. The ‘German’ 
5 protocol £ 


ISO 6: not connected 

ISO 7; data 

ISO 2: 

ISO 3: 

micro-instruction 

1 

r 

RESET 

0 

r 

UP 


0 

PROGRAM (1-+0) 

0 


link these two sequences 


mined by the security logic imple¬ 
mented on the card, one specific 
instruction, PROGRAM, allows a card 
to be written to: that is, a 0 changed 
into a 1 on Trench' cards, or a 1 into 
a 0, on 'German' cards. 

And then: software 

If different communication protocols 
are used for cards of the French and 
German type, then what about their 
memory contents? 

A first-generation French phone 
card ("TeleCarte" in French) contains 
nothing but a 256-bit EPROM. 
Although all of these bits may be read, 
only the first 96 may be programmed 
by the factory because they are pro¬ 
tected by an on-chip fuse (at the IS08 
contact) which is blown at the end of 
the production process. 

This group of 96 bits is unique for 
each individual card: it contains a 'ser¬ 
ial number' and an 'authentication 
message'. These two pieces of infor¬ 
mation allow each individual card to 
be recognized. Although the first and 
foremost aim of this protection is, of 
course, to prevent card cloning, the 
system also allows faulty cards to be 
detected. 

This unique matrix is, of course, a 
godsend for anyone wanting to build, 
say, an electronic lock which only rec¬ 
ognizes a few authorized cards. All 
you have to do is make the reader per¬ 
form a check on the 96 bits. Bit num¬ 
bers 8 through 15 in this block provide 


the 'application code' of the card. This 
code may have the hexadecimal value 
03, 04, 05 or 06 for a French Telecard, 
while any value greater than or equal 
to 80 indicates a different application. 
The story behind this is that France 
Telecom has succeeded in forcing chip 
card manufacturers to pre-program 
bit 8 on cards intended for all other 
customers. 

The entire area from location 96 


this technology to 150 phone billing 
units. In France, these cards have a 
value of 5, 50 or 120 units, which 
means that each expired (empty) Tele¬ 
card still contains a number of bits 
which may be changed from 0 to 1 in 
the course of experimental manipula¬ 
tions. 

Figure 7, for example, shows the 
memory contents of a new, unused 50- 
units phone card. The contents of the 


o “France Telecom” bit 



through 255 is used for automatic 
counting of phone billing units. Ini¬ 
tially, all bits are at 0, and these are 
replaced with Ts at a rate of billing 
units 'consumed' as you phone away. 

In theory, the capacity of such a 
card would be 160 units. In practice, 
however, 10 units are 'burned' by the 
card factory for testing purposes, lim¬ 
iting the credit value of cards based on 


Figure 6. Memory 
structure of a French 
Telecard i 

same card, but then empty, is given in 
Figure 8 (note the 8 last bits which 
remain at logic 1 although all the 
card's worth has been used up). Fig¬ 
ure 9 shows how an appropriate piece 
of software is capable of deciphering 
the 256 bits on the card, and turn them 


Figure 8. The same Telecard, empty. 
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Figure 7. French Telecard , 50 units, 

unused. 
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Chip Type: 

Family Code: 

Serial Number: 
Authenticity Message: 
Programming Parameters: 
Sen/ice Code: 

Total Value: 

Used Up: 

No Remaining Credit 


Texas or EEPROM 
05 (Phonecard) 
59142288 
33EE 
1 (50ms I21V) 
0 (disposable card) 
06 (50 units) 
50 units 


Figure 9. Interpretation (by a speciai program) 
of the data read from the card in Figure 8. 


10 


Figure 10. Memory counter of an empty Spanish Telecard, 
with an original worth 1,000 ptas. 
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Figure It. Memory structure of a German 
phonecard (old version). 


Figure 12. Read result of the 512 bits in an empty German 
phonecard (old version). The same area of 128 bits 
appears four times. 
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into a maximum amount of meaning¬ 
ful data. Some countries (in particular, 
Spain and the Croatian Republic) use 
a much more intricate 'counting 
scheme' which allows the apparent 
limit of 150 units to be exceeded. With¬ 
out going into details, this result may 
be explained by the fact that certain 
bits represent a value of several billing 
units, as illustrated by the example in 
Figure 10 (memory contents of an 
empty Spanish phone card with an 
original value of 1,000 ptas). 

Developed a couple of years after the 
French version, the German phone 
card ("Telefonkarte") has been able to 
benefit from a more modern technol¬ 
ogy, namely CMOS EEPROM. 

However if you say EEPROM you 
also say 'possibility to erase and 
rewrite'. Also, the basic operation of 
these cards is radically different from 
the early French ones. 

The table shown in Figure 11 
shows that the basic German phone 
card is set up around a memory of 
104 bits. If you attempt to read bits 104 
through 127, you invariably get 24 
logic ones. From address 128 onwards, 
a mirror-image is found of the con¬ 
tents starting at 0. In other words, the 
address counter returns to the start in 
cyclic fashion. The first 64 bits may be 
compared to the first 96 on the French 
phonecard, in the sense that they also 
contain card identification data. 

Bits 0 to 11 contain a 'silicon num¬ 
ber' which is programmed in the chip 
when it is manufactured. This number 
may be the same in a (very) large 
number of cards. 

The next eight bits are, in principle, 
identical for all cards from a nation¬ 
wide operating telephone company 
(FF h in Germany, 7F h in Holland, BF h 
in Guernsey, 2F h in Great Britain, etc.). 

Bits 24 to 27 identify the card 
maker, for example, 0^ for ORGA, 8^ 
for Giesecke & Devriendt, 4 h for ODS, 
Ch for Gemplus, 2 h for Soliac, 9^ for 
GPT, etc. For really unique data, how¬ 
ever, we have to look in the area 
reserved for the billing units counter. 
This area is effectively divided into five 
counters: four of eight bits, and one of 
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Figure 13. Eurochip 
memory structure. 

five bits, whose function may be 
likened to that of an abacus. Each 
billing unit (or credit) you use up in a 
public phone booth is accounted for 
by a logic 1 changing into a 0 in the 
'units 7 counter occupying the address 
range from 96 to 103. Once this area 
is full (in other words, when its eight 
bits are at logic 0), a bit is set to 0 in the 
next counter (the x8 units one). This 
operation also resets the eight bits in 
the 'units 7 counter to logic 1. In the 
same way, a 'carry-over 7 is written into 
the x 64 units counter once the 8 units 


counter is emptied, and the same 
again with the last counter, which 
counts by 4,096 units. 

Manufacturers of integrated circuits 
for use on chip cards always state that 
this 'counting scheme 7 allows a phone 
card to be produced representing a 
total of 20,480 phone billing units with 
just 37bits (8x8x8x8x5 = 20,480). 

A little arithmetic reasoning how¬ 
ever reveals that the above is a gross 
error which no-one seems to have 
noticed for years! In actual fact, the 
capacity of the counter array is 
25,160 units. Whatever the exact num¬ 
ber, that's far more than the 160 units 
of a 256-bit EPROM card, and it real 


Figure T4L Read result of the 512 bits irra Eurachip-based 
phonecarct The first 128 bits are compatible with the older 
i versions,i 
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currency units like pence, cents or 
pfennigs to be counted directly, and 
not just those strange 0.80 FF units as 
in France. This advantage allows 
phone companies to charge calls 
depending on the actual duration 
(even down to seconds if so desired). 
On the down side, this technology has 
an Achilles heel in that it is possible for 
a user to re-charge his card himself, 
and so telephone for free. To prevent 
this kind of fraud, the card providers 
pre-load the counters in the factory, so 
that the 'units 7 which may be used up 
again are an exact match of the value 
printed on the card. So, on an 'empty 7 
German phonecard (Figure 12), all bits 
of all counters are at 0. 

This simple security measure was, 
apparently, not sufficient, witness the 
proposals for a more sophisticated 
technology designated 'Eurochip 7 . 

Figure 13 shows that the first 128 
bits are compatible with those we just 
examined. Only instead of three 'mir¬ 
rored 7 areas, the memory area cover¬ 
ing bit 128 to 511 contains only ones, 
interspersed with the occasional 0 as 
illustrated in Figure 14. 

As you might well imagine, this 
area has a definite function in an 
encrypted security mechanism as, for 
instance, used in safes. 

Top-secret for obvious reasons, this 
mechanism is based on the 'challenge- 
response 7 principle. The intention is to 
fit every public telephone booth with 
a security module in the form of a card 
containing a miniature chip. This mod¬ 
ule frequently sends a random num¬ 
ber to the Telecard. This number is 
used by the card to perform a secret 
calculation. 

Once returned to the security mod¬ 
ule, the result of the calculation is sup¬ 
posed to enable the module to run an 
error-free check on the authenticity of 
the card, and the financial transaction 
in progress. 

There are now grave doubts 
whether the French T2G second-gen¬ 
eration Telecard will ever make it to 
commercial use. This card employs a 
related mechanism, although it 
remains compatible with the 'first-gen¬ 
eration 7 cards which are currently used 
in France. 

At this point many Frenchmen will 
wonder if the arrival of a single Euro¬ 
pean phone card, that is, one which is 
usable across all European borders (in 
as far as these exist), will mean the end 
of many years of pioneering research 
in their country. (96oiu) 
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